HELP !!! Listed in CBL and SMTP locked by Spamhaus

uollan (Verified User; joined Dec 22, 2008; 44 messages)
Hi,

I need help.... a big help.
I've a new server (2 months old) and I was continuously listed in CBL; now they have locked my SMTP and "no one" can send emails from my server!
I think this is terrible, and I think they can't do that... I'm working to fix it but I don't know what to do!

So.
I've exim 4 with DirectAdmin and these are my ACLs:
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

I've tested my server with telnet:
I can't send out e-mails to external servers (ex: yahoo, gmail) without auth but I can send e-mails from me to me without.... I think this is the problem!
I receive a lot of spam from ME !!!

I've called all my customers and they now use their own internet providers to send out e-mail....

- I've tried to find a solution in the forum... but I can't find what I'm looking for!
- I've tried to configure a whitelist to send out only from one account (but I don't know how it really works)... I've tried to read the documentation.... uff...

Help me please!!!!

I don't think it's right that Spamhaus can lock your IP. I know... I have something to fix... but I also have a server with 40+ domains and a lot of infuriated customers that can't send e-mails!!! what a f..k!!!

Best regards... and thank you!
David
 
Sorry to say that: But get an admin who knows what to do.

If you were blocked a few times over the last two months, you had enough time to fix your problems. So I think it's okay that Spamhaus locked you.

There are several tools on Google where you can check whether you are running an open relay.

If you have an open relay you need to fix that ASAP! (As said, if you don't know how, get someone who knows.)

If you run the standard config of DA you should not have an open relay. But test this!

If you have no open relay, and Spamhaus blocked you because you send spam, then I think it's a malicious script. Check your processes, rootkits, customer files, etc...
 
I see a lot of complaining but no evidence for us to look at. You have not given us any ip addresses, no domains, no examples of blocked email. Without this stuff I have no idea how to help you.
 
> Sorry to say that: But get an admin who knows what to do.

Thank you Axif... I know that! But I must try; I've worked with sendmail, qmail and now with exim... I'm not so good at configuring it, and I'm also working to approach mail server admin! And I think "no one is born as a sysadmin"!

> If you were blocked a few times over the last two months, you had enough time to fix your problems. So I think it's okay that Spamhaus locked you.

Of course, I love what Spamhaus does for us, but I also think that you can have big problems with your server with 100 or more domains and your customers cannot send e-mail with your SMTP!

> There are several tools on Google where you can check whether you are running an open relay.

Yes. I did it! It's not an open relay!

> If you have an open relay you need to fix that ASAP! (As said, if you don't know how, get someone who knows.)

I will also read about it!

> If you run the standard config of DA you should not have an open relay. But test this!

No changes in the original exim.conf and DA is updated with the latest version.

> If you have no open relay, and Spamhaus blocked you because you send spam, then I think it's a malicious script. Check your processes, rootkits, customer files, etc...

I've checked processes, I've captcha in all website forms (one by one), no viruses, no customer files (I've created all the php5 scripts), no cgi! Maybe they use the phpmailer class to do that?!?

I think they send e-mails with telnet!
I've tried to do some tests... I can only send e-mails from ME to ME without auth!

> I see a lot of complaining but no evidence for us to look at. You have not given us any IP addresses, no domains, no examples of blocked email. Without this stuff I have no idea how to help you.

Thank you floyd for your help again... I haven't found the solution!
The address is 81.31.149.36 - my email and domain for test [email protected].

Every help will be great!!!
Thank you in advance.... really!
 
> Yes. I did it! It's not an open relay!
> I think they send e-mails with telnet!

These two statements cannot be reconciled. They cannot both be true. Sending email by telnet is the same as using a mail client. So either it's an open relay or not.

> I'm working to fix it but I don't know what to do!

Follow the instructions in the rejected email or the log file. http://cbl.abuseat.org/lookup.cgi?ip=81.31.149.36
Have you requested delisting from CBL?
 
I've now finished checking all domain scripts; all the scripts that send mail are in php5 with captcha and I use phpmailer to send e-mails!

> These two statements cannot be reconciled. They cannot both be true. Sending email by telnet is the same as using a mail client. So either it's an open relay or not.

OK... I've checked the logs, but I don't know what I have to look for in order to find the solution... : (

> Follow the instructions in the rejected email or the log file. http://cbl.abuseat.org/lookup.cgi?ip=81.31.149.36
> Have you requested delisting from CBL?

Yes, the server was listed in Spamhaus, I've removed it several times!
Thanks again floyd!
 
> Try http://www.dnsqueries.com/en/domain_check.php to get a quick look at your email settings. That site will let you know if you have an open relay among other issues.

Hi Steve,

Thanks for your reply, I've tested the server:
It's not an open relay and no errors except this one:

Acceptance of domain literals
Result KO
Not all of your mailservers accept mail to postmaster@[ip_address] (Literal format). RFC1123 5.2.17 require all mailservers to accept mail to this kind of address. This is a common problem and actually can be ignored. The report of the test is:

Does not accept mail to postmaster@[ip_address]

Must I create a postmaster e-mail address ?!?
 
> "no one is born as a sysadmin"!

That is true. Everyone needs to learn, and everyone makes mistakes. I don't want to blame you!

From an outstanding point of view, I think you should assume responsibility towards your customer.
It is not a shame to recognize that somebody can't solve his problems himself at the moment. The opposite is true!

Hire somebody to get this fixed. Ask floyd or smtalk here in the forums. Those are the two I know who can be hired for such things.
 
> That is true. Everyone needs to learn, and everyone makes mistakes. I don't want to blame you!
>
> From an outstanding point of view, I think you should assume responsibility towards your customer.
> It is not a shame to recognize that somebody can't solve his problems himself at the moment. The opposite is true!
>
> Hire somebody to get this fixed. Ask floyd or smtalk here in the forums. Those are the two I know who can be hired for such things.

No problem Axif and thank you for your help!
Cheeerrss!
 
Send me a pm with your server root login information and I will look at it for free and let you know what I find.
 
The posted IP# is not listed in CBL.

And yes, a server is NOT technically an open relay if email is being sent by a different program other than the MTA.

And it won't then test as an open relay even though it could be sending a lot of spam.

Also a spammer with an account on the server could be sending spam; it doesn't have to be an open relay for that to occur.

Jeff
 
It was listed in CBL when I checked it. Apparently he has a continuing problem as he has stated that he has had to request removal several times.
 
Thank you!

I've found the bug (I hope).
There was an old form script (without captcha) re-uploaded by one of my customers!!! :eek: I've only 2 customers with FTP access, I've checked all the domains "one by one" 3 times... but... I've not seen this script! uff!

I'm not listed now in CBL and I hope not in the future either. :cool:
Thank you very very much to all !!! :D
 
OH NOOOOOO !!!!

I'M LISTED AGAIN ON CBL (AFTER 4 DAYS).... UFFFFF !!!!

I receive also duplicated e-mail... i receive the same e-mail few times.

bah....

:mad:
 
> OH NOOOOOO !!!!
>
> I'M LISTED AGAIN ON CBL (AFTER 4 DAYS).... UFFFFF !!!!
>
> I receive also duplicated e-mail... I receive the same e-mail a few times.
>
> bah....
>
> :mad:

Check your mail log. See who's the one sending all the spam.
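
Jeff's point that spam can leave a server without it being an open relay, and the advice above to check the mail log, both come down to asking how each message entered Exim. The following is an added example, not part of the thread: it tallies Exim mainlog arrival (`<=`) lines by submission path, assuming the default mainlog field layout; the sample lines, hosts and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines (addresses, hosts and IDs are made up).
SAMPLE_LOG = """\
2009-02-10 10:00:01 1LWaaa-0001Ab-01 <= info@shop.example H=(pc1) [203.0.113.7] P=esmtpa A=login:info@shop.example S=2210
2009-02-10 10:00:02 1LWaaa-0001Ab-02 <= apache@host.example U=apache P=local S=1890
2009-02-10 10:00:03 1LWaaa-0001Ab-02 => victim1@mail.example R=lookuphost T=remote_smtp H=mx.mail.example [198.51.100.9]
2009-02-10 10:00:04 1LWaaa-0001Ab-03 <= apache@host.example U=apache P=local S=1902
2009-02-10 10:00:05 1LWaaa-0001Ab-04 <= friend@other.example H=mx.other.example [198.51.100.20] P=esmtp S=3100
2009-02-10 10:00:06 1LWaaa-0001Ab-05 <= apache@host.example U=apache P=local S=1877
2009-02-10 10:00:07 1LWaaa-0001Ab-06 <= <> R=1LWaaa-0001Ab-03 U=mail P=local S=4100
"""

# date, time, message id, then "<=" and the envelope sender
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= (\S+)(.*)$")

def classify(line):
    """Return (kind, identity) for an arrival line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    _sender, rest = m.groups()
    fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
    if "A" in fields:                  # SMTP AUTH: a mail client using an account password
        return ("auth", fields["A"].split(":", 1)[-1])
    if fields.get("P") == "local":     # handed to Exim on the box: script, cron job, bounce
        return ("local", fields.get("U", "?"))
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)
    return ("remote", ip.group(1) if ip else "?")   # unauthenticated SMTP from another host

def submission_sources(log_text):
    """Count accepted messages per (kind, identity)."""
    counts = Counter()
    for line in log_text.splitlines():
        key = classify(line)
        if key:
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (kind, who), n in submission_sources(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {kind:6s} {who}")
```

A large count for a local user such as the web server account points at a script on the server, while a large count for one authenticated login points at that account or a client machine using it.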
 
I've read the logs and it was a virus on a customer's PC, so I'm not listed again.
Thank you for the support... I'm now a student of mail servers and I will work to understand (I can do it!!! : ).

I have only some questions:

I'm looking at the mail logs every day and I see that there is only one domain (ex: abc.com) attacked at many nonexistent e-mail addresses (ex: [email protected] [email protected], fu*[email protected])...
no catch-all e-mail... is it normal?
Only 1 domain of 40+ domains receives these attacks? Sounds strange to me!

I've a lot of e-mail in the queue (spam) that will not be received (I think and I hope)... is it normal too? 4 and more days in queue...

Can I stop e-mail sent from a malicious sender?

How much spam do you receive per e-mail address?!?

Thank you to all...
cheeerrrssss
 
I just noticed your thread topic, and I thought I'd point out that Spamhaus isn't blocking you. They're merely listing the fact that your server has been sending spam; it's up to people like us to decide if we want to block you for that. No one, not even those of us who use DirectAdmin, must use Spamhaus.

> I've read the logs and it was a virus on a customer's PC, so I'm not listed again.
> Thank you for the support... I'm now a student of mail servers and I will work to understand (I can do it!!! : ).

And that's a good thing :).

> I'm looking at the mail logs every day and I see that there is only one domain (ex: abc.com) attacked at many nonexistent e-mail addresses (ex: [email protected] [email protected], fu*[email protected])...
> no catch-all e-mail... is it normal?

I'm not sure what you mean. Do you use abc.com to represent the domain on your server that receives the spam? Or do you use it to represent the domain that's sending it?

> Only 1 domain of 40+ domains receives these attacks? Sounds strange to me!

Maybe that domain has made enemies?

> I've a lot of e-mail in the queue (spam) that will not be received (I think and I hope)... is it normal too? 4 and more days in queue...

Generally email in the queue is not waiting for delivery to your server, but rather for delivery off your server. Generally a properly configured DirectAdmin server won't accept email it can't immediately deliver. Often mail stuck in the queue is mail that misconfigured email servers think was sent by you, so they send it back to you, and your system can't return it to the real sender. If it's been in the queue four or more days then it's probably going to get removed shortly, but you can change settings in exim.conf so it won't stay that long, or you can clean the queue at any time; there are posts in these forums that tell you how to do that.

> Can I stop e-mail sent from a malicious sender?

If you can identify either the sender email address, or the domain name you want to block, or the sending mail server, you can set SpamBlocker to block it.

> How much spam do you receive per e-mail address?!?

Using SpamBlocker, SpamAssassin, and the exim Spam Filters, actually very little.

Jeff
 